Roland Mainz wrote:
> Shawn M Emery wrote:
>
>> <snip>
>>
>
> One minor nit:
> "kserver" is a very generic name. IMO it may be better to name it
> "kdcserver" or "krbserver" to make sure it doesn't collide with other
> projects using the "k*"-prefix. For example FreeWNN has a "kserver" and
> AFAIK KDE has something which sounds similar...
>

It was named to match the client equivalent, kclient(1M), but I can see how it may be confusing.

> <snip>
>>
>> 2.1 kserver(1M) script
>>
>> This will be implemented in a scripting language (ksh) that will
>> make calls to Kerberos utilities to configure the master and slave
>> KDC servers. These Kerberos and system utilities include:
>>     kdb5_util(1M)
>>     kadmin(1M)
>>     kadmin.local(1M)
>>     svcadm(1M)
>>     dig(1M)
>>     ping(1M)
>>
>
> Minor issue: What about IDN (Internationalized Domain Name) support ?
> Yes, I know... Krb5 does not support that yet... but how should this be
> handled in theory (for example assume that the admin's locale is a
> multibyte locale (such as en_US.UTF-8) and then let the script handle
> all details) ?
>

There are dependencies in Kerberos for implementing this and I would consider this out of scope for this setup script.

>> The kserver script will perform basic security checks and warn the
>> administrator if it detects a problem.
>>
>
> What about adding a "dry-run" option which does some pre-checks without
> changing the configuration ?
>

Yes, this is what it essentially means:

1. check for existing kdb
2. file permissions
3. DNS configuration
4. etc.

>> Given the hundreds of possible KDC configurations it is impossible
>> to provide a simple interface to handle all of these. The assumption
>> is that this utility will provide configurations for a simple, but
>> common subset.
>>
>> 3. Manual page changes
>>
>> kserver(1M) is the new CLI for configuring KDC servers. It has an interactive
>> interface, but with options that can limit the interaction.
>>
>> A new man page will be created for kserver(1M):
>>
>> System Administration Commands                          kserver(1M)
>>
>> NAME
>>     kserver - set up a Kerberos Key Distribution Center (KDC)
>>
>> SYNOPSIS
>>     /usr/sbin/kserver [ -a admprincipal ] [ -e enctype ]
>>     [ -h ] [ -l slave1[:slave2:...] ] [ -r realm ] [ -s ]
>>
>
> What about adding a generic "action" here to define the action which
> should be done, e.g. "kserver create" (or "kserver setup") to set up a
> Kerberos Key Distribution Center (and reserve any future "action"
> keyword (e.g. "kserver adduser", "kserver rmuser", "kserver destroy",
> "kserver backup" etc.) for future usage) ?
>

I like the general concept, but we wouldn't have to reserve an action keyword, given that we would keep other arguments as options.

Some potential actions for this version:

    setup
    destroy
    backup

Future versions may include:

    addprinc
    delprinc
    addkeytab
    addxrealm

For non-interactiveness I would have to add new options to cover new functionality or require that these actions be interactive.

Thanks,

Shawn.
--
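
The three pre-checks named in the reply above (existing kdb, file permissions, DNS configuration), sketched as an added example that is not part of the thread and is not kserver's code. The function names, the arguments, the `RESOLVE` override and the choice of a forward/reverse lookup comparison as the DNS check are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: read-only KDC pre-checks. Function names, arguments and the
# RESOLVE override are assumptions for illustration, not kserver's interface.
RESOLVE=${RESOLVE:-dig +short}   # resolver command; dig(1M) is on the thread's list
WARNINGS=0

warn() { WARNINGS=$((WARNINGS + 1)); echo "WARNING: $*" >&2; }

# 1. Existing kdb: warn instead of overwriting a database that is already there.
check_existing_kdb() {   # $1 = database file prefix
    for f in "$1" "$1".*; do
        if [ -e "$f" ]; then warn "existing KDC database file: $f"; return 1; fi
    done
    return 0
}

# 2. File permissions: key material must carry no group/other mode bits.
check_private() {   # $1 = stash file, keytab or similar
    [ -e "$1" ] || return 0                 # not created yet, nothing to check
    perms=$(ls -ld "$1" | cut -c5-10)       # group+other part of the mode string
    if [ "$perms" = "------" ]; then return 0; fi
    warn "$1 is accessible to group/other (mode bits: $perms)"
    return 1
}

# 3. DNS: forward and reverse lookups of the KDC host name must agree.
check_dns() {   # $1 = fully qualified KDC host name
    addr=$($RESOLVE "$1" A | grep -E '^[0-9.]+$' | head -n 1)
    if [ -z "$addr" ]; then warn "$1 has no A record"; return 1; fi
    back=$($RESOLVE -x "$addr" | head -n 1 | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ "${back%.}" = "$want" ]; then return 0; fi
    warn "reverse lookup of $addr gives '${back%.}', expected '$want'"
    return 1
}

# Run every check, change nothing, and report failure if any check warned.
kdc_precheck() {   # $1 = db prefix, $2 = key material file, $3 = KDC host name
    rc=0
    check_existing_kdb "$1" || rc=1
    check_private "$2" || rc=1
    check_dns "$3" || rc=1
    return $rc
}
```

Call `kdc_precheck` with the database prefix, a key material file and the KDC's fully qualified host name for the installation being checked; a non-zero return means at least one warning was printed to stderr.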